A Password Library

May 20, 2011

Some search systems require logins. We wanted to pass along what we call a “password library.” Jimmy Ruska gives us a password library update in “Most Common Passwords List from 3 Databases.” We submit this link for your reference.

Writes Ruska,

There have been three instances that I know of where a significant number of hacked account passwords have been publicly released. I have obtained the lists and made a thorough analysis of each of them, including the most common passwords and character frequencies.

Scanning the lists, it’s amazing how many easily hackable choices people use. For example, 123456, password, and letmein feature prominently. Why bother having a password if you don’t take it seriously?

Try a word or phrase that you can remember but that can’t be easily linked to you. Then throw in some numbers and special characters. One technique to help you remember is to replace letters with similar l00king choic3s. This does slow down hacking software considerably. So does using the maximum number of characters.

Remember—the lazy ones are the first victims.

Cynthia Murrell, May 20, 2011

Freebie

Google Images: What Is in Focus? Images or Security? Neither? Both?

May 10, 2011

This weekend (May 7 and 8, 2011), I wanted a US government picture of earth taken from space. I checked out Bing.com but did not spot the image I had in mind. I bopped over to Google.com, clicked on Images, and checked out some snaps. One caught my eye and I clicked it. The Google iFrame thing popped up. I clicked the image, saved a copy to a USB, hit the button on my KVM control, and worked some Photoshop / Gimp distortions. When I clicked back to the machine I use to look at Web sites, malware had taken over the machine. A bit of sleuthing revealed that some clever teenagers at heart had used Google’s iFrame as a vector to corrupt a computer. Nice. This particular exploit left my machine without the ability to do much of anything. If you get snookered by image malware on a Windows machine, you will have to use some crafty techniques such as running Task Manager, clicking on Run when you hold down the Control key, and working with this Swiss cheese operating system. So I got to revert back to my old command line self. Semi fun.

You can find out about the Google images malware thing in “Attackers Using Google Image Search to Distribute Malware.” I noted that in Google’s “Sort by Subject in Google Images,” there was some cheerleading for a function I don’t need. Er, a keyword search is a subject to me. Google is excited about this function. The write up pants:

Sorting by subject uses algorithms that identify relationships among images found on the web and presents those images in visual groups, expanding on the technology developed for Google Similar Images and Google Image Swirl. By looking at multiple sources of similarities, such as pixel values and semantic relationships, and by mining massive amounts of data, we can make meaningful connections and groupings among images.

In my opinion, we have a Microsoft Office type of disconnect. I want to do something and I don’t want software to do something else. Whether I am pasting text or formatting a table, Microsoft’s engineers are so darned smart that the software does what it thinks I should do. The software does not do what I want to do. Google Images is moving along this knife edge. I wanted a picture and I got an exploit.

How about getting the basics right? Skip the fancy talk about semantics and find a way to deliver the basics—one click access to an image without the accompaniment of some high IQ teenagers who want me to practice my command line skills. (For more on Google security check out “Chrome’s Security Crown Slips”.) Wow. Pretty exciting. What happens to folks who, unlike me, don’t know how to work around an exploit and lose access to their computer and maybe their data? No more Google Images for me.

Stephen E Arnold, May 10, 2011

Freebie just like Google images’ malware

Protected: Avoiding the Pitfalls of SharePoint Social Media

May 5, 2011


Vertical Blog: A New Angle for Online

April 27, 2011

Our Overflight intelligence system tracks certain types of information. There are some basic Overflight services available from the ArnoldIT.com Web log. We have other systems running as well. One of these identified a new blog called Backnotch. Published by Jean Glaceau, it appears to cover one narrow segment of online information; namely, transactions related to Angola. What’s interesting about the publication is that the content appears to be summaries of publicly accessible information. The Backnotch service is similar to a traditional abstracting service. The principal difference is that the contributors offer some broad editorial comments. These comments, plus the collection of articles, comprise a useful resource for anyone looking at what types of open source information cover certain activities associated with Angola and related topics.

According to the About page of the blog:

In my first week of work, I decided to narrow my focus to a handful of issues which are covered in the open source literature. The information I located struck me as similar in some ways to a fictional story or a Hollywood film. Going forward, I want to continue to explore how the open source information follows a particular story and what entities surface in those stories.

The publisher is Jean Glaceau. When we ran a couple of queries for him, we found a number of individuals in the hit list. We were not able to determine which Glaceau was running the research project behind the information service. We wrote to the email address for the blog, but we had not received an answer as we queued this story for publication.

We checked out the search engine for the service, and it appears to have a backfile of about 60 articles. If Mr. Glaceau keeps up his current pace of content production, the service will generate about 50 to 60 stories each month. Our view is that online has moved from vertical search to vertical “finding” services.

We will check back with Backnotch in a couple of months. Worth a look.

Stephen E Arnold, April 27, 2011

Freebie

Google and Microsoft Security Poker: A New Round

April 15, 2011

I ignored the push backs, reinterpretations, and revelations about the murkiness of both Google’s and Microsoft’s security certifications. I was hoping the “security card” story would die a quiet death as the pundits chased the resurgence of RIM with its co-dependent tablet or the Google financial results.

No such luck.

Navigate to “Google Lashes Back at Microsoft over Accusations of Lying.” The story introduces for me a couple of interesting elements. First, this passage sets the tone of the “security card” discussion:

Google said Wednesday it does have FISMA certification from the General Services Administration. FISMA stands for Federal Information Security Management Act. Microsoft said Monday that certification for one agency, the GSA, does not automatically qualify software for another agency, the Department of the Interior. The Department of the Interior had earlier chosen Microsoft’s cloud software over Google. Google sued, claiming the department had not fairly considered its bid, and successfully forced the department to re-evaluate its purchase.

What’s nifty about this approach is that it puts the “debate” in the 10 point font used for government documents. Who really knows what’s inside these “rules of the road”. Agency policies, the role of the General Services Administration, and the notion of duplication of effort within the government may indicate that both Google and Microsoft are on a 50-50 basis.

The other point is the reminder that Google sued a Federal agency. Now, I don’t know about you, but that’s an opportunity for consultants to attend quite a few meetings.

Second, my view is that the “security card” is a potentially corrosive issue within the US government. Calling attention to the idiosyncrasies of how certain security certifications “work” is something that I would keep as part of specific project discussions and out of news releases, blog posts, and other modern conduits.

Stephen E Arnold, April 15, 2011

Freebie

Google and Microsoft: The Security Card

April 11, 2011

The source is Microsoft. I don’t know if the information in “Google’s Misleading Security Claims to the Government Raise Serious Questions” is accurate. The tension between Microsoft and Google seems to be increasing. The allegation that Google is behaving like a combination of Andrew Carnegie, John D. Rockefeller, and Commodore Vanderbilt brightened my blog a few days ago. Now we get Microsoft playing the security card.

Powerful stuff and a maneuver that will have to be discussed by the various government decision makers as long as the budget keeps on paying them. Toss in a few assorted blue chip and azure chip consultants, and you have a recipe for investigations, depositions, study groups, and PR excitement. Good news for some I guess.

Here’s a passage I noted:

…Imagine my [Microsoft professional’s] surprise on Friday afternoon when, after some delay, some of the court papers were unsealed, at least in part. There for all to see was a statement by the Department of Justice contradicting Google on one of its basic FISMA claims. The DOJ’s brief says (on page 13) “On December 16, 2010, counsel for the Government learned that, notwithstanding Google’s representations to the public at large, its counsel, the GAO and this Court, it appears that Google’s Google Apps for Government does not have FISMA certification.” This revelation was apparently as striking to the lawyers at the Department of Justice as it was to me. The Justice Department brief states “We immediately contacted counsel for Google, shared this information and advised counsel that we would bring this to the Court’s attention.”

My view on this matter is that until more information becomes available to me in Harrod’s Creek, the best I can do is assert, “Interesting.”

The impact of the security card is of interest to fewer people than own iPods but ultimately may be more important than some of the other hoo-hah about Google. The notion of stretching security like a rubber sheet may be one of those plays that persist through time. Like a clever chess move from a young Bobby Fischer, specialists may pick up the play and make it a model for young Microsoft emulators to absorb, modify, and use to devastating effect.

Best to be prepared for these sorts of things. Looking back won’t do the job. The security card is a big play.

Stephen E Arnold, April 11, 2011

Freebie

For Your Popular Passwords Stop List

April 1, 2011

Short honk: Here in the backwoods we love password lists. The “Top 20 Passwords of All Time” is interesting. It comes in infographic format, and you can add these sequences to your stop list. I like “123456”. Yes!
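A stop-list check is the defensive use of lists like this one, and it also bears on the earlier “password library” post’s advice about swapping letters for look-alike digits: password-cracking rule sets apply those same substitutions, so a checker should undo them before consulting the list. The code below is an added example, not from either post; the stop list holds the three passwords the posts name plus constructed entries, and the 12-character minimum is an assumed site policy.

```python
"""Check a candidate password against a common-password stop list, including
after common look-alike substitutions (e.g. 'P@ssw0rd1!' reads as 'password').
Added example: stop-list entries beyond 123456/password/letmein and the
minimum length are constructed assumptions, not values from the posts."""
from itertools import product

# Constructed stop list: the three passwords named in the posts plus fillers.
COMMON_PASSWORDS = {"123456", "password", "letmein", "qwerty", "abc123"}

# Reverse map for look-alike characters; '1' may stand for 'i' or 'l'.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i", "|": "l"}

MIN_LENGTH = 12  # assumed site policy


def base_forms(candidate: str, limit: int = 256) -> set[str]:
    """All readings of the candidate with look-alike characters reversed.
    Trailing digits and symbols (the usual '2011!!' suffix) are stripped first,
    and expansion stops at `limit` to bound work on long inputs."""
    core = candidate.lower().rstrip("0123456789!@#$%^&*")
    options = [LEET.get(ch, ch) for ch in core]  # each entry is a str of choices
    forms: set[str] = set()
    for combo in product(*options):
        forms.add("".join(combo))
        if len(forms) >= limit:
            break
    return forms


def check_password(candidate: str, stop_list: set[str] = COMMON_PASSWORDS) -> list[str]:
    """Return the policy violations found; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in stop_list:
        problems.append("appears verbatim in the common-password stop list")
    elif base_forms(candidate) & stop_list:
        problems.append("is a stop-listed word with letters swapped for look-alikes")
    return problems


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd1!", "L3tM31n2011!!", "correct horse battery"):
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
```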

Stephen E Arnold, April 1, 2011

Freebie for April the first

Android Security: Is This an Oxymoron?

March 30, 2011

When I read this, I said sub vocally, “Wow.”

The H Security report “Google’s Security Tool Infected With Trojan” explains how the new Android Market Security Tool, developed to delete the recent contaminated apps, is itself infested with a Trojan. Users are unaware of the newest infection after a rash of harmful apps hit Android phones in recent weeks. They were told to expect the new tool to clean up their phones, but it is tying greater knots in the already mangled data. The good news is that the infected security tool is only on an unregulated network in China.

According to an initial analysis by Symantec, the Trojan contacts a control server and is able to send text messages if commanded to do so. According to F-Secure, BGServ (as the contaminant is called) also sends user data to the server after being installed.

Wow.

We are offered the same age-old advice to protect our technology from digital infection: don’t open the application unless you know who sent it. Great advice for everyone in general and maybe for Android folks in particular.

Whitney Grace, March 30, 2011

Freebie

Google and Its Alleged Trojan

March 18, 2011

The H Security reports “Google’s Security Tool Infected with Trojan.” Wow. Just... wow. Google’s Android Market Security Tool, intended to delete contaminated apps, has itself been contaminated by a trojan, the H Security article alleges:

As users have been told to expect to see the application running on their phones clearing up the damage the Droiddream trojan did, there’s a good chance they won’t be suspicious of it. According to reports though, at present, the trojan-infested version of the tool is only in circulation on an “un-regulated third-party Chinese marketplace” and appears to only affect users of a particular Chinese mobile network.

Okay, so we in the States don’t have to worry about this. For now. The program, known as BGServ, sends texts containing user data to a control server. Think twice about any app that asks for permission to send text messages. If this allegation is accurate, will it have an impact on Google’s enterprise efforts? I surmise that my colleagues and I would think twice, assuming this shocker is true.

Cynthia Murrell, March 18, 2011

Freebie

US Government, Domains, and Search

February 11, 2011

There’s been a flurry of search-related news from the US government. We have noticed that some health related content is moving around. Hearings with Health and Human Services executives produced 404 errors last week. We were able to locate the documents, but a 404 is suggestive. The FBI rolled out its new search service. Then we read about a security compliance glitch.

We found it interesting that half of the US Federal government’s sites have failed to comply with mandated security measures. In an article appearing on the NetworkWorld news site, we learned that the Office of Management and Budget issued a mandate in 2008 requiring agencies to add DNS Security Extensions (DNSSEC). The piece goes on to cite a study which claims that as of January 2011, fifty-one percent of these agencies have failed to comply.

“DNSSEC is an Internet standard that prevents hackers from hijacking Web traffic and redirecting it to bogus sites. It allows Web sites to verify their domain names and corresponding IP addresses using digital signatures and public key encryption.”

Given the importance of safeguarding data and activity online, especially at the federal level, the question becomes: why has the failure to adopt this precaution been so broad? Mark Beckett, Vice President of Marketing and Product Management for Secure64, offers his view: while the number of agencies in compliance this year has more than doubled compared with last year, the low rate itself illustrates the difficulty of deploying the security measure. Beckett feels that as more parent domains and subdomains sign, the market for protection will expand, creating more user-friendly DNSSEC tooling. Search can be tricky if the crawlers cannot access or find the content. Alternatively, search can be even more exciting if content that should not be indexed is.

Stephen E Arnold, February 11, 2011

Freebie
